Cisco Web Security Appliance S160 User Guide
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 8 Integrate the Cisco Identity Services Engine
About the ISE Server Deployment and Failover
A single ISE node set-up is called a “standalone deployment,” and this single node runs the Administration, Policy Service, and Monitoring personae. To support failover and to improve performance, you must set up multiple ISE nodes in a “distributed deployment.” The minimum required distributed ISE configuration to support ISE failover on your Web Security appliance is:
• Two pxGrid nodes
• Two Monitoring nodes
• Two Administration nodes
• One Policy Service node
This configuration is referred to in the Cisco Identity Services Engine Hardware Installation Guide as a “ .” Refer to the network deployments section of that Installation Guide for additional information.
Related Topics
Identity Services Engine Certificates
Note: This section describes the certificates necessary for ISE connection. , provides general certificate-management information for AsyncOS.
A set of three certificates is required for mutual authentication and secure communication between the Web Security appliance and each ISE server:
• WSA Client Certificate – Used by the ISE server to authenticate the Web Security appliance.
• ISE Admin Certificate – Used by the Web Security appliance to authenticate the ISE server on port 443 for bulk download of ISE user-profile data.
• ISE pxGrid Certificate – Used by the Web Security appliance to authenticate the ISE server on port 5222 for WSA-ISE data subscription (on-going publish/subscribe queries to the ISE server).
These three certificates can be Certificate Authority (CA)-signed or self-signed. AsyncOS provides the option to generate a self-signed WSA Client Certificate, or a Certificate Signing Request (CSR) instead, if a CA-signed certificate is needed. Similarly, the ISE server provides the option to generate self-signed Admin and pxGrid certificates, or CSRs instead, if CA-signed certificates are needed.
Please note the following caveats regarding both the WSA- and ISE-related certificates:
• In the case of self-signed certificates, the ISE pxGrid and Admin certificates both must be in the Trusted Certificates list on the ISE server, and the WSA Client certificate also must be in the ISE Trusted Certificates list.
• In the case of CA-signed certificates:
  – The appropriate CA root certificate must be present in the Trusted Certificates list on the ISE server (Administration > Certificates > Trusted Certificates).
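The two trust rules in these caveats can be checked with openssl before a WSA-ISE connection is attempted. The following is an added example, not from the Cisco guide: it builds constructed self-signed and CA-signed certificates in a temporary directory (all names are made up) and uses a PEM file in place of a Trusted Certificates list.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: reproduces the two trust rules
# above with openssl. All names and files are constructed in a temp directory.
set -e
WORK=$(mktemp -d)

# Self-signed certificate, standing in for a self-signed ISE pxGrid certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/pxgrid.key" -out "$WORK/pxgrid.pem" \
  -subj "/CN=ise-pxgrid.lab.example" >/dev/null 2>&1

# Constructed private CA root plus a CA-signed WSA client certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Lab Root CA" >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/wsa.key" -out "$WORK/wsa.csr" \
  -subj "/CN=wsa.lab.example" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/wsa.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/wsa.pem" >/dev/null 2>&1

# trust_check TRUSTED_LIST CERT: prints "ok" if CERT chains to an entry in the
# list and "fail" otherwise. The PEM file plays the Trusted Certificates list.
trust_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Self-signed: trusted only when the certificate itself is in the list.
echo "self-signed pxgrid, list holds itself:   $(trust_check "$WORK/pxgrid.pem" "$WORK/pxgrid.pem")"
echo "self-signed pxgrid, list holds CA root:  $(trust_check "$WORK/ca.pem" "$WORK/pxgrid.pem")"
# CA-signed: trusted when the CA root is in the list, not when only a peer certificate is.
echo "CA-signed wsa, list holds CA root:       $(trust_check "$WORK/ca.pem" "$WORK/wsa.pem")"
echo "CA-signed wsa, list holds pxgrid cert:   $(trust_check "$WORK/pxgrid.pem" "$WORK/wsa.pem")"
```

The same `openssl verify -CAfile` check works against certificates exported from a real ISE or WSA, which is a quick way to confirm a trust list before enabling the integration.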